Microsoft Uncovers Russian Cyber Attack on Foreign Embassies

Microsoft has recently identified a sophisticated cyber operation orchestrated by state-sponsored hackers from Russia, targeting foreign embassies based in Moscow. The attackers employ adversary-in-the-middle (AiTM) techniques, manipulating local Internet Service Providers (ISPs) to intercept and redirect online interactions of the embassies.

This operation, traced back to last year, showcases how ISPs, which are mandated to assist the Russian government, are exploited. Microsoft's threat intelligence team has linked this activity to a group named Secret Blizzard, marking the first confirmed instance of such attacks leveraging ISP-level control.

Secret Blizzard, an extremely active hacking group reportedly connected to the Russian Federal Security Service, uses AiTM to conduct cyber espionage. This allows them to lead targeted embassy personnel to seemingly legitimate but malicious websites, facilitating the installation of a malware known as ApolloShadow.

Objective: Install ApolloShadow

The primary goal of this campaign is to propagate ApolloShadow, a custom malware. It installs a TLS root certificate on systems within targeted embassies, enabling Secret Blizzard to cryptographically impersonate trusted websites. The infection has been observed starting from a captive portal, the kind of login page that typically manages access on public networks, so that the lure resembles an ordinary internet service.

A notable tactic involves displaying a web page that seems authentic but diverts users to download the ApolloShadow malware. It masquerades as legitimate software, often fooling users into granting it higher access permissions on their systems through what appears to be a standard update process.

Once ApolloShadow secures the necessary system privileges, it often modifies network settings to facilitate further infiltration, although direct lateral movement was not observed. This modification primarily loosens restrictions on network discovery and file sharing—a key aspect for its intended intelligence gathering.
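The two host-level changes described above, an added trusted root certificate and loosened discovery and sharing settings, are both visible from the endpoint. The following PowerShell script is an added defensive check written for this article, not code from Microsoft's report or from the malware itself; it assumes a Windows 10 or later host with the NetSecurity module, compares both trusted root stores against a baseline saved from a known-good machine, and lists discovery and sharing firewall rules that are enabled on the Public profile. The baseline path is an arbitrary choice.

```powershell
# Added defensive check (not from the Microsoft report). Assumes Windows 10+ with the
# NetSecurity module. Run once with -SaveBaseline on a known-good host, then run
# periodically to flag trusted roots that were added later.
param(
    [string]$BaselinePath = "$env:ProgramData\root-baseline.json",  # assumed location
    [switch]$SaveBaseline
)

function Get-RootStoreSnapshot {
    # Both stores matter: a user-level root can be added without administrator rights.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotBefore  = $_.NotBefore
                SelfSigned = ($_.Subject -eq $_.Issuer)
            }
        }
    }
}

$current = @(Get-RootStoreSnapshot)

if ($SaveBaseline) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host "Baseline of $($current.Count) trusted roots written to $BaselinePath"
    return
}

if (-not (Test-Path $BaselinePath)) {
    throw "No baseline at $BaselinePath; run once with -SaveBaseline on a known-good host."
}
$known = @((Get-Content $BaselinePath -Raw | ConvertFrom-Json).Thumbprint)

# Any root absent from the baseline can issue certificates this machine will trust,
# which is exactly what an adversary-in-the-middle needs to impersonate HTTPS sites.
$new = $current | Where-Object { $_.Thumbprint -notin $known }
if ($new) {
    Write-Warning "Trusted root certificates not present in baseline:"
    $new | Format-Table Store, Subject, NotBefore, SelfSigned, Thumbprint -AutoSize
} else {
    Write-Host "Root stores match baseline."
}

# Discovery and sharing rules enabled on the Public profile widen exposure on
# untrusted networks. Group names below are the English display names.
Get-NetFirewallRule -DisplayGroup 'Network Discovery', 'File and Printer Sharing' -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { $_.Profile -match 'Public|Any' } |
    Select-Object DisplayGroup, DisplayName, Direction, Profile |
    Format-Table -AutoSize
```

Any root reported here should be traced to a change record (software installation, enterprise PKI rollout) before it is accepted into the baseline.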

Microsoft has highlighted the persistence of ApolloShadow, emphasizing its potential to maintain a continual presence within compromised systems. Organizations operating in sensitive regions, particularly Moscow, are advised to employ encrypted communication channels through trusted ISPs to mitigate the risks posed by similar cyber threats.